[rt-users] How to make LDAP authentication in RT3
steve
steve at n2sw.com
Mon Jan 31 09:32:05 EST 2005
Francisco Javier Martínez Martinez wrote:
> Hello folks.
>
> Could anyone post the procedure, file, ... to enable LDAP authentication
> against an external LDAP server, with RT3 on Linux.
>
> I know that it is possible to authenticate users against an external LDAP
> server. I had been googling and searching in mail-lists, and I had found
> a lot of different references, too many references, but not very clear,
> and most of them referring to RT2; I wonder whether it could be the same for
> RT3. This is the main reason for my request.
>
> Thanks in advance.
>
> _______________________________________________
> http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users
>
> RT Administrator and Developer training is coming to your town soon!
> (Boston, San Francisco, Austin, Sydney) Contact
> training at bestpractical.com for details.
>
> Be sure to check out the RT Wiki at http://wiki.bestpractical.com
>
>
Here is my RT_SiteConfig.pm, and below it the lines from my httpd.conf
which do the actual authentication.
# WARNING: NEVER EDIT RT_Config.pm. Instead, copy any sections you want to
# change to RT_SiteConfig.pm and edit them there.
#
package RT;
=head1 NAME
RT::Config
=for testing
use RT::Config;
=cut
$LDAPExternalAuth = 1;
$LdapServer="ldap......com";
$LdapUser="cn=admin,o=....";
$LdapPass="5equ0ia";
$LdapBase="";
$LdapUidAttr="uid";
$LdapFilter="(objectclass=*)";
$LdapTLS = 0;
$LdapGroup ="cn=NY-Everyone,ou=Groups,ou=NY,ou=TBWA,ou=NAM";
$LdapGroupAttribute = 'member';
# {{{ Base Configuration
# $rtname the string that RT will look for in mail messages to
# figure out what ticket a new piece of mail belongs to
# Your domain name is recommended, so as not to pollute the namespace.
# once you start using a given tag, you should probably never change it.
# (otherwise, mail for existing tickets won't get put in the right place
Set($rtname , "helpdesk......com");
# You should set this to your organization's DNS domain. For example,
# fsck.com or asylum.arkham.ma.us. It's used by the linking interface to
# guarantee that ticket URIs are unique and easy to construct.
Set($Organization , "....com");
# $user_passwd_min defines the minimum length for user passwords. Setting
## it to 0 disables this check
Set($MinimumPasswordLength , "5");
# $Timezone is used to convert times entered by users into GMT and back again.
# It should be set to a timezone recognized by your local unix box.
Set($Timezone , 'US/Eastern');
# }}}
# }}}
# {{{ Database Configuration
# Database driver being used. Case matters
# Valid types are "mysql", "Oracle" and "Pg"
Set($DatabaseType , 'mysql');
# The domain name of your database server
# If you're running mysql and it's on localhost,
# leave it blank for enhanced performance
Set($DatabaseHost , '');
Set($DatabaseRTHost , '');
# The port that your database server is running on. Ignored unless it's
# a positive integer. It's usually safe to leave this blank
Set($DatabasePort , '');
#The name of the database user (inside the database)
Set($DatabaseUser , 'root');
# Password the DatabaseUser should use to access the database
Set($DatabasePassword , 'm4dne55');
# The name of the RT's database on your database server
Set($DatabaseName , 'rtnew');
# If you're using Postgres and have compiled in SSL support,
# set DatabaseRequireSSL to 1 to turn on SSL communication
Set($DatabaseRequireSSL , undef);
# }}}
# {{{ Incoming mail gateway configuration
# OwnerEmail is the address of a human who manages RT. RT will send
# errors generated by the mail gateway to this address. This address
# should _not_ be an address that's managed by your RT instance.
Set($OwnerEmail , 'root');
# If $LoopsToRTOwner is defined, RT will send mail that it believes
# might be a loop to $RT::OwnerEmail
Set($LoopsToRTOwner , 1);
# If $StoreLoops is defined, RT will record messages that it believes
# to be part of mail loops.
# As it does this, it will try to be careful not to send mail to the
# sender of these messages
Set($StoreLoops , undef);
# $MaxAttachmentSize sets the maximum size (in bytes) of attachments stored
# in the database.
# For mysql and oracle, we set this size at 10 megabytes.
# If you're running a postgres version earlier than 7.1, you will need
# to drop this to 8192. (8k)
Set($MaxAttachmentSize , 10000000);
# $TruncateLongAttachments: if this is set to a non-undef value,
# RT will truncate attachments longer than MaxAttachmentLength.
Set($TruncateLongAttachments , undef);
# $DropLongAttachments: if this is set to a non-undef value,
# RT will silently drop attachments longer than MaxAttachmentLength.
Set($DropLongAttachments , undef);
# If $ParseNewMessageForTicketCcs is true, RT will attempt to divine
# Ticket 'Cc' watchers from the To and Cc lines of incoming messages
# Be forewarned that if you have _any_ addresses which forward mail to
# RT automatically and you enable this option without modifying
# "RTAddressRegexp" below, you will get yourself into a heap of trouble.
Set($ParseNewMessageForTicketCcs , undef);
# RTAddressRegexp is used to make sure RT doesn't add itself as a ticket CC if
# the setting above is enabled.
Set($RTAddressRegexp , '^steve.rieger\@.....com$');
# RT provides functionality which allows the system to rewrite
# incoming email addresses. In its simplest form,
# you can substitute the value in CanonicalizeEmailAddressReplace
# for the value in CanonicalizeEmailAddressMatch
# (These values are passed to the CanonicalizeEmailAddress subroutine in RT/User.pm)
# By default, that routine performs a s/$Match/$Replace/gi on any address passed to it
Set($CanonicalizeEmailAddressMatch , 'subdomain.....com$');
Set($CanonicalizeEmailAddressReplace , '.....com');
# If $SenderMustExistInExternalDatabase is true, RT will refuse to
# create non-privileged accounts for unknown users if you are using
# the "LookupSenderInExternalDatabase" option.
# Instead, an error message will be mailed and RT will forward the
# message to $RTOwner.
#
# If you are not using $LookupSenderInExternalDatabase, this option
# has no effect.
#
# If you define an AutoRejectRequest template, RT will use this
# template for the rejection message.
Set($SenderMustExistInExternalDatabase , undef);
# }}}
# {{{ Outgoing mail configuration
# RT is designed such that any mail which already has a ticket-id associated
# with it will get to the right place automatically.
# $CorrespondAddress and $CommentAddress are the default addresses
# that will be listed in From: and Reply-To: headers of correspondence
# and comment mail tracked by RT, unless overridden by a queue-specific
# address.
Set($CorrespondAddress , 'tickets at ...com');
Set($CommentAddress , 'helpdesk-ny at ...com');
#Sendmail Configuration
# $MailCommand defines which method RT will use to try to send mail
# We know that 'sendmailpipe' works fairly well.
# If 'sendmailpipe' doesn't work well for you, try 'sendmail'
#
# Note that you should remove the '-t' from $SendmailArguments
# if you use 'sendmail rather than 'sendmailpipe'
Set($MailCommand , 'sendmailpipe');
# $SendmailArguments defines what flags to pass to $Sendmail
# assuming you picked 'sendmail' or 'sendmailpipe' as the $MailCommand above.
# If you picked 'sendmailpipe', you MUST add a -t flag to $SendmailArguments
# These options are good for most sendmail wrappers and workalikes
Set($SendmailArguments , "-oi -t");
# These arguments are good for sendmail brand sendmail 8 and newer
#Set($SendmailArguments,"-oi -t -ODeliveryMode=b -OErrorMode=m");
# If you selected 'sendmailpipe' above, you MUST specify the path
# to your sendmail binary in $SendmailPath.
# !! If you did not select 'sendmailpipe' above, this has no effect !!
Set($SendmailPath , "/usr/sbin/sendmail");
# By default, RT sets the outgoing mail's "From:" header to
# "SenderName via RT". Setting this option to 0 disables it.
Set($UseFriendlyFromLine , 1);
# sprintf() format of the friendly 'From:' header; its arguments
# are SenderName and SenderEmailAddress.
Set($FriendlyFromLineFormat , "\"%s via RT\" <%s>");
# RT can optionally set a "Friendly" 'To:' header when sending messages to
# Ccs or AdminCcs (rather than having a blank 'To:' header).
# This feature DOES NOT WORK WITH SENDMAIL[tm] BRAND SENDMAIL
# If you are using sendmail, rather than postfix, qmail, exim or some other MTA,
# you _must_ disable this option.
Set($UseFriendlyToLine , 0);
# sprintf() format of the friendly 'To:' header; its arguments
# are WatcherType and TicketId.
Set($FriendlyToLineFormat, "\"%s of $RT::rtname Ticket #%s\":;");
# By default RT doesn't notify the person who performs an update, as they
# already know what they've done. If you'd like to change this behaviour,
# Set $NotifyActor to 1
Set($NotifyActor, 1);
# }}}
# {{{ Logging
# Logging. The default is to log anything except debugging
# information to syslog. Check the Log::Dispatch POD for
# information about how to get things by syslog, mail or anything
# else, get debugging info in the log, etc.
# It might generally make
# sense to send error and higher by email to some administrator.
# If you do this, be careful that this email isn't sent to this RT instance.
# the minimum level error that will be logged to the specific device.
# levels from lowest to highest:
# debug info notice warning error critical alert emergency
# Mail loops will generate a critical log message.
#Set($LogToSyslog , 'debug');
#Set($LogToScreen , 'info');
Set($LogToFile , 'debug');
Set($LogDir, '/usr/local/rt3/var/log');
Set($LogToFileNamed , "rt.log"); #log to rt.log
# On Solaris, set to ( socket => 'inet' ). Options here override any
# other options RT passes to Log::Dispatch::Syslog. Other interesting
# flags include facility and logopt. (See the Log::Dispatch::Syslog
# documentation for more information.) (Maybe ident too, if you have
# multiple RT installations.)
#socket => 'inet'
@LogToSyslogConf = () unless (@LogToSyslogConf);
# }}}
# {{{ Web interface configuration
# Define the directory name to be used for images in rt web
# documents.
# If you're putting the web ui somewhere other than at the root of
# your server
# $WebPath requires a leading / but no trailing /
Set($WebPath , "");
# This is the Scheme, server and port for constructing urls to webrt
# $WebBaseURL doesn't need a trailing /
Set($WebBaseURL , "http://........com");
Set($WebURL , $WebBaseURL . $WebPath . "/");
# $WebImagesURL points to the base URL where RT can find its images.
Set($WebImagesURL , $WebURL . "NoAuth/images/");
# $RTLogoURL points to the URL of the RT logo displayed in the web UI
Set($LogoURL , $WebImagesURL . "rt.jpg");
# For message boxes, set the entry box width and what type of wrapping
# to use.
#
# Default width: 72
Set($MessageBoxWidth , 72);
# Default wrapping: "HARD" (choices "SOFT", "HARD")
Set($MessageBoxWrap, "HARD");
# if TrustHTMLAttachments is not defined, we will display them
# as text. This prevents malicious HTML and javascript from being
# sent in a request (although there is probably more to it than that)
Set($TrustHTMLAttachments , undef);
# If $WebExternalAuth is defined, RT will defer to the environment's
# REMOTE_USER variable.
Set($WebExternalAuth , "true");
# If $WebFallbackToInternalAuth is undefined, the user is allowed a chance
# of fallback to the login screen, even if REMOTE_USER failed.
Set($WebFallbackToInternalAuth , "true");
# $WebExternalGecos means to match the 'gecos' field as the user identity;
# useful with mod_auth_pwcheck and IIS Integrated Windows logon.
Set($WebExternalGecos , undef);
# $WebExternalAuto will create users under the same name as REMOTE_USER
# upon login, if it's missing in the Users table.
Set($WebExternalAuto , "true");
# $WebSessionClass is the class you wish to use for managing Sessions.
# It defaults to your SQL database, but if you are using MySQL 3.x and
# plan to use non-ASCII Queue names, uncommenting this line and adding it to
# RT_SiteConfig.pm will prevent session corruption.
# Set($WebSessionClass , 'Apache::Session::File');
# $MaxInlineBody is the maximum attachment size that we want to see
# inline when viewing a transaction. 13456 is a random sane-sounding
# default.
Set($MaxInlineBody, 13456);
# $MyTicketsLength is the length of the owned tickets table on the
# front page. For some people, the default of 10 isn't big enough
# to get a feel for how much work needs to be done before you get
# some time off.
Set($MyTicketsLength, 10);
# $MyRequestsLength is the length of the requested tickets table
# on the front page.
Set($MyRequestsLength, 10);
# @MasonParameters is the list of parameters for the constructor of
# HTML::Mason's Apache or CGI Handler. This is normally only useful
# for debugging, eg. profiling individual components with
# (preamble => 'my $p = MasonX::Profiler->new($m, $r);');
@MasonParameters = () unless (@MasonParameters);
# }}}
# {{{ RT UTF-8 Settings
# An array that contains languages supported by RT's internationalization
# interface. Defaults to all *.po lexicons; setting it to qw(en ja) will make
# RT bilingual instead of multilingual, but will save some memory.
@LexiconLanguages = qw(*) unless (@LexiconLanguages);
# An array that contains default encodings used to guess which charset
# an attachment uses if not specified. Must be recognized by
# Encode::Guess.
@EmailInputEncodings = qw(utf-8 iso-8859-1 us-ascii) unless (@EmailInputEncodings);
# The charset for localized email. Must be recognized by Encode.
Set($EmailOutputEncoding , 'utf-8');
# }}}
# {{{ RT Date Handling Options (for Time::ParseDate)
# Set this to 1 if your local date convention looks like "dd/mm/yy"
# instead of "mm/dd/yy".
Set($DateDayBeforeMonth , 1);
# Should "Tuesday" default to meaning "Next Tuesday" or "Last Tuesday"?
# Set to 0 for "Next" or 1 for "Last".
Set($AmbiguousDayInPast , 1);
# }}}
1;
httpd.conf
ServerName helpdesk.....com
DocumentRoot /usr/local/rt3/share/html
AddDefaultCharset UTF-8
PerlModule Apache::DBI
PerlRequire /usr/local/rt3/bin/webmux.pl
<Location />
SetHandler perl-script
PerlHandler RT::Mason
# Apache authenticates every request under / against LDAP and hands the
# login name to RT in REMOTE_USER, which RT's $WebExternalAuth trusts.
# Because the Location is /, this also covers RT's /NoAuth/ paths (images,
# REST mail gateway), which RT otherwise leaves reachable without a login.
AuthName "RT Web Users"
AuthType Basic
# "off" lets other configured authentication modules try if the LDAP
# lookup fails. The URL has an empty base DN and matches the login name on cn.
AuthLDAPAuthoritative off
AuthLDAPurl ldap://ldap.....com/?cn?sub
require valid-user
</Location>
ErrorLog /var/log/helpdesk-error.log
CustomLog /var/log/helpdesk-access.log common
CustomLog /var/log/helpdesk-combined.log combined
</VirtualHost>
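To make the division of labour in the setup above concrete: Apache (mod_auth_ldap, `require valid-user`) decides who gets in, and RT only decides what to do with the name Apache puts in REMOTE_USER, driven by the $WebExternalAuth, $WebExternalAuto, $WebFallbackToInternalAuth and $WebExternalGecos settings quoted in the RT_SiteConfig.pm. The following is an added example, not code from RT or from the post; it models that decision with an in-memory user table standing in for RT's Users table. The function names (`decide_session`, `posted_config`, `strict_config`) and the sample users are assumptions for illustration.

```python
"""Model of how RT 3.x treats REMOTE_USER once Apache has authenticated.

Added example, not RT's code. The flow follows the behaviour described by
the $WebExternalAuth / $WebExternalAuto / $WebFallbackToInternalAuth /
$WebExternalGecos comments in RT_SiteConfig.pm, with a list of User records
in place of RT's database. Names below are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class User:
    name: str
    gecos: str = ""


@dataclass
class Outcome:
    action: str                 # "login", "autocreated", "login-form" or "deny"
    user: Optional[str] = None


def decide_session(env: Dict[str, str], users: List[User], *,
                   web_external_auth: bool = True,
                   web_external_auto: bool = False,
                   web_fallback_to_internal_auth: bool = False,
                   web_external_gecos: bool = False) -> Outcome:
    """Return what RT does for one request that has no session yet.

    `env` stands for the CGI environment Apache hands to RT; only REMOTE_USER
    matters here. `users` stands for RT's Users table and is appended to when
    autocreation fires.
    """
    if not web_external_auth:
        # Stock behaviour: REMOTE_USER is ignored, RT shows its own login form.
        return Outcome("login-form")

    remote_user = env.get("REMOTE_USER", "")
    if not remote_user:
        # Apache asserted no identity. Without the fallback flag RT refuses
        # the request outright instead of offering its password form.
        return Outcome("login-form") if web_fallback_to_internal_auth else Outcome("deny")

    # $WebExternalGecos switches the lookup from the Name column to gecos.
    key = (lambda u: u.gecos) if web_external_gecos else (lambda u: u.name)
    match = next((u for u in users if key(u) == remote_user), None)

    if match is None and web_external_auto:
        # $WebExternalAuto: any name Apache vouches for becomes an RT account,
        # so the Apache side is the entire access-control boundary.
        users.append(User(name=remote_user, gecos=remote_user))
        return Outcome("autocreated", remote_user)
    if match is None:
        return Outcome("login-form") if web_fallback_to_internal_auth else Outcome("deny")
    return Outcome("login", match.name)


def posted_config(env: Dict[str, str], users: List[User]) -> Outcome:
    """The three flags exactly as the RT_SiteConfig.pm above sets them."""
    return decide_session(env, users, web_external_auth=True,
                          web_external_auto=True,
                          web_fallback_to_internal_auth=True)


def strict_config(env: Dict[str, str], users: List[User]) -> Outcome:
    """Same delegation to Apache, but no autocreation and no password fallback."""
    return decide_session(env, users, web_external_auth=True,
                          web_external_auto=False,
                          web_fallback_to_internal_auth=False)


if __name__ == "__main__":
    table = [User("alice", "alice")]                       # constructed sample table
    print(posted_config({"REMOTE_USER": "alice"}, table))    # login
    print(posted_config({"REMOTE_USER": "mallory"}, table))  # autocreated
    print(strict_config({"REMOTE_USER": "eve"}, table))      # deny
    print(posted_config({}, table))                          # login-form (fallback)
```

With all three flags set as in the posted file, an unknown name in REMOTE_USER is turned into an RT account and a missing REMOTE_USER drops the user to RT's internal password form; `strict_config` shows the two flags a practitioner flips to make Apache's LDAP check the only way in.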
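Several values in the posted files are worth a second look before copying them: `$LdapTLS = 0`, a `$WebBaseURL` of `http://`, an `AuthLDAPurl` of `ldap://`, `AuthLDAPAuthoritative off`, and `$WebFallbackToInternalAuth`/`$WebExternalAuto` both on. The following is an added example, not part of the original post: a small checker that parses the two formats shown above (Perl `Set(...)` and `$Var = ...` lines from RT_SiteConfig.pm, `Directive value` lines from httpd.conf) and reports those settings. The embedded sample text is a constructed excerpt reproducing the posted values with placeholder hostnames; the finding names are made up for this example.

```python
"""Flag cleartext and fall-through settings in an RT3 + mod_auth_ldap setup.

Added example, not part of the original post. Parses Set($Name, value) and
$Name = value lines from RT_SiteConfig.pm and 'Directive value' lines from
httpd.conf, then reports the settings a reviewer would question. The sample
text is constructed to mirror the posted configuration (placeholder hosts).
"""
import re
from typing import Dict, List

RT_SITECONFIG = r'''
$LdapServer="ldap.example.com";
$LdapTLS = 0;
Set($WebBaseURL , "http://helpdesk.example.com");
Set($WebExternalAuth , "true");
Set($WebFallbackToInternalAuth , "true");
Set($WebExternalGecos , undef);
Set($WebExternalAuto , "true");
'''

HTTPD_CONF = '''
AuthName "RT Web Users"
AuthType Basic
AuthLDAPAuthoritative off
AuthLDAPurl ldap://ldap.example.com/?cn?sub
require valid-user
'''

SET_RE = re.compile(r'^\s*Set\(\s*\$(\w+)\s*,\s*(.*?)\s*\)\s*;', re.M)
VAR_RE = re.compile(r'^\s*\$(\w+)\s*=\s*(.*?)\s*;', re.M)
DIRECTIVE_RE = re.compile(r'^\s*([A-Za-z]\w*)\s+(.+?)\s*$', re.M)


def _unquote(value: str) -> str:
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in '"\'':
        return value[1:-1]
    return value


def perl_true(value: str) -> bool:
    """Perl truthiness for the literal forms that appear in RT_SiteConfig.pm."""
    return value not in ("", "0", "undef")


def parse_rt_config(text: str) -> Dict[str, str]:
    """Collect Set($Name, value) and $Name = value assignments by name."""
    cfg: Dict[str, str] = {}
    for name, value in SET_RE.findall(text) + VAR_RE.findall(text):
        cfg[name] = _unquote(value)
    return cfg


def parse_httpd(text: str) -> Dict[str, str]:
    """Collect 'Directive argument' lines; Apache directive names are case-insensitive."""
    return {name.lower(): value for name, value in DIRECTIVE_RE.findall(text)}


def audit(rt: Dict[str, str], httpd: Dict[str, str]) -> List[str]:
    findings: List[str] = []
    # Basic auth carries the user's LDAP password base64-encoded; over http:// it is readable.
    if httpd.get("authtype", "").lower() == "basic" and rt.get("WebBaseURL", "").startswith("http://"):
        findings.append("basic-auth-over-http")
    # ldap:// without ldaps:// (or the TLS/STARTTLS keyword of newer mod_authnz_ldap) binds in clear.
    url = httpd.get("authldapurl", "")
    if url.startswith("ldap://") and not url.upper().endswith(("TLS", "SSL")):
        findings.append("apache-ldap-cleartext")
    # "off" lets other configured authentication modules try after an LDAP failure.
    if httpd.get("authldapauthoritative", "on").lower() == "off":
        findings.append("ldap-not-authoritative")
    # The LDAP overlay's own bind ($LdapUser/$LdapPass) also travels in clear.
    if rt.get("LdapTLS") == "0":
        findings.append("rt-ldap-cleartext")
    if perl_true(rt.get("WebExternalAuth", "")):
        if perl_true(rt.get("WebFallbackToInternalAuth", "")):
            findings.append("internal-password-fallback")   # RT passwords stay a second way in
        if perl_true(rt.get("WebExternalAuto", "")):
            findings.append("autocreate-from-remote-user")  # any asserted name becomes an account
    return findings


def audit_text(rt_text: str, httpd_text: str) -> List[str]:
    return audit(parse_rt_config(rt_text), parse_httpd(httpd_text))


if __name__ == "__main__":
    for finding in audit_text(RT_SITECONFIG, HTTPD_CONF):
        print(finding)
```

Run against the constructed excerpt it reports all six findings; the same checker returns nothing once the web URL is https, the LDAP URL is ldaps://, AuthLDAPAuthoritative is on, $LdapTLS is 1, and the two fallback/autocreate flags are undef.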